
Onboard cyber security--know your vulnerabilities

By Jim Fullilove
MEJ Editor

Unwanted intrusions into our cyber lives are all too common these days, whether it’s viruses downloaded via bogus offers that lock up the works, ransomware that holds your computer system hostage until a fee is paid or a hacker who mines your device for personal information. For boaters there’s also the possibility that your GPS or AIS (Automatic Identification System) can be jammed or spoofed, which boils down to the devices providing false positioning information.

When I’ve talked to people in the marine business who are involved in cyber security, they often downplay the probability that recreational boats will be subject to cyber attacks. They argue that there’s nothing to be gained by hacking into a boater’s communication device (and possibly delivering a virus to the boat’s electronic network) by way of a phishing email or viral attachment. I’m not so sure about that. Full connectivity provides many benefits, but it also brings vulnerability.

Virus hamstrings a containership

A good example occurred a few years ago aboard a commercial vessel—a containership. A crewman plugged his smartphone into a USB port on the helm to charge it. Unbeknownst to the crewman, the phone contained a virus that wiggled its way into the ship’s Electronic Chart Display and Information System—a very sophisticated type of integrated multifunction display—and crashed it. Fortunately the ship was dockside and not at sea. If things like this can happen aboard a large ship, they can also cause havoc or worse on a sportfishing machine or family cruiser.

As for the “what’s to gain” argument, how about downloading ransomware that finds its way into your MFD and from there perhaps into your engine controls and locks things up until you pay the ransom?

I had an opportunity to sit in on a presentation at the NMEA Conference & Expo by cyber security consultant Gary Kessler (Gary Kessler Associates). He put a fine point on the magnitude of the problem. In the maritime industry, 80% of large companies reported a cyber attack in the prior year. Ten percent reported a successful breach while 28% reported a thwarted attempt. Among large companies, 69% were confident of their defense readiness, while only 6% of small companies and 19% of midsize companies felt prepared. At the same time, only 6% of those small companies had cyber security insurance.

“Marine systems are a target,” a PowerPoint slide pointed out. “Dealers, vendors and manufacturers have the same vulnerability as everyone else, including cybercrime and cyberfraud, hacking, supply chain vulnerabilities and intellectual property theft. If marine electronics have weak security, those products–and their supply chain–will be targets of cyber-based attacks.”

Networks are vulnerable

He said vessels are particularly vulnerable because of networked systems, including bridge navigation, communications, propulsion, steering, monitoring, security, cargo handling, bilge management and others. Kessler warned of poor security in protocols and network design, pointing to satcom terminals that may be exposed on the Internet, administrative interfaces that are accessible via insecure protocols, and a lack of message authentication or encryption. Another major area of concern and exposure is “poor security hygiene” by users with easy-to-guess passwords. Other attacks include ransomware demands, especially those involving a ship’s control systems while at sea, as well as jamming and spoofing of GPS and AIS.

Kessler concluded with this recommendation: If you know what your systems’ vulnerabilities are, you’ve got a shot at understanding the threats—the probability that the weaknesses will be exploited and by whom. If you focus mostly on the threats and not the vulnerabilities, you’re probably already in trouble. 

We’re in the process of backgrounding the severity and likelihood of cyber attacks that target both recreational and commercial vessels for an extended article or two in Marine Electronics Journal. When we publish it we’ll share that information with you via The Mic. Meantime, we recommend that you heed Kessler’s warning and advice.
